It is said that VPN service providers in China, such as ExpressVPN or Astrill, may not have the same security encryption anymore. (Photo : YouTube/Best VPN)

It is said that VPN service providers in China, such as ExpressVPN or Astrill, may not have the same security encryption anymore. According to a report from Tech in Asia, an infosec professional named Marc Bevand, working from behind the infamous Great Firewall of China, found that two of the well-known VPN service providers lack adequate security.

It is a known fact that ExpressVPN and Astrill are the big names in China when it comes to VPN services. VPNs are normally used for protection and to prevent the government from monitoring personal internet traffic. In China, there is a need to evade the Great Firewall, especially for travelers, because the country's firewall is set to block the Google services that most people use every day. Without evading the Great Firewall of China, there would be no access to Gmail, Hangouts, Google Maps and Google Drive, according to a blog post Bevand published recently.

As stated in his blog, Bevand subscribed to ExpressVPN while he was in China, and upon using its service he discovered that the provider's certificates use 1024-bit RSA keys. VPNs should use RSA keys of at least 2048 bits to secure the connection. For VPNs that still use 1024-bit RSA keys, there is a strong possibility that the connection's security will be breached, Bevand added on his blog.

Bevand asserted that China may already be watching some, or possibly all, ExpressVPN subscribers because of the weak RSA keys. On this matter he reached out to ExpressVPN's management, and the company's response to him states, "We agree that the issue you have raised is important, and you're correct in that it has been on our backlog to fix for some time. We've now decided to prioritize the upgrade for the next month."

Bevand mentioned that he also raised this issue with Astrill, and in an update to his blog he reports receiving a personal email from the company's Chief Security Officer that says "Effective today 1024bit cert (ASCA) has been removed from PKI and all clients are required now to use 2048bit cert."